With news that the Cybersecurity Maturity Model Certification (CMMC) implementation is being pushed back (again) to 2024, the CMMC pilot program (called Joint Surveillance) becomes ever more important as it is the only option for organizations that desire to be a first mover in receiving their CMMC certification. At last check, there have been a total of seven completed assessments under the pilot program, and while that may seem low, interest is clearly high as our CMMC Third Party Assessor Organization (C3PAO) teams continue to receive questions about the program from Organizations Seeking Certification (OSC). This blog post addresses the most common questions we have seen.
What is the Joint Surveillance Program (JSP) for CMMC?
In short, it is a pilot program for CMMC that is being executed BEFORE rulemaking finishes. A CMMC 3PAO assessment team is paired with a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment team to conduct a DIBCAC High assessment. Under the JSP, the result of the DIBCAC High Assessment is received right away. The DoD has indicated the intent to have that translate into a CMMC Level 2 certification issued by the participating C3PAO upon the CMMC rule being published. The 3-year recertification clock would then start at the time of rulemaking.
Why does the Joint Surveillance Program exist?
When the DOD pulled back on the interim rule for CMMC 1.0 in October 2021, they lost the mechanism for CMMC assessments in 2022 and (now) 2023. Joint Surveillance allows the program to get underway prior to the final rulemaking, since it is under the DIBCAC High assessment authority. C3PAO’s are able to get experience, the DIBCAC gets feedback from the pilot program, the supply problem of C3PAOs is somewhat mitigated (it does not hurt at least) and OSC’s are given an opportunity to (hopefully, pending rulemaking) be first in-line to receive a CMMC Certification.
What is a DIBCAC High assessment?
It is an assessment against the NIST 800-171 security controls which is what CMMC Level 2 is based on. Because the controls are almost identical, an assessment of one can determine satisfaction of the security controls and objectives being met for the other. See both assessment guides here and here as well as the DoD’s assessment methodology.
Who should do Joint Surveillance (JS)?
Those who have DIBCAC assessment requirements outside of CMMC as JS is potentially two assessments/certifications for the price of one.
Those that want to be first movers in CMMC as a competitive advantage, and have the certification immediately upon rulemaking being finalized. In other words, those who want to be CMMC certified from day one assuming the DoD follows through on giving credit for JSP in final rulemaking.
Those who have contracts with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 that are coming up for renewal/recompete in 2024, since those contracts are likely being considered as the first CMMC contracts post rulemaking.
Those who want to beat the expected rush to schedule an engagement with a C3PAO once rulemaking is complete. With the JSP, you can have your pick of the limited number of authorized C3PAOs in the marketplace and choose the right one on your terms without any market pressure on prices and/or capacity/availability of the highest quality C3PAOs.
What are risks of doing Joint Surveillance?
The main risk is that everything is not yet finalized in writing. We already saw a big change from CMMC 1.0 to 2.0 and who is to say the final rule won’t look different than what was advertised when CMMC 2.0 was announced. For example, the use of Plans of Action and Milestones (POA&Ms) and what is permitted has not been defined. The current thought process is that 5-point controls (from NIST 800-171) will not be POA&M-able whereas 1-point controls likely will be. What about 3-point controls? This impacts your assessment.
Reciprocity is another example. Will there be reciprocity with FedRAMP? The DoD has said yes, but until it is written how does a C3PAO judge inheritance of the security controls during a JSP assessment varies from C3PAO to C3PAO (you should ask this question to your C3PAO if your company is considering JSP!)
Even the CMMC Assessment Process (CAP) from the Cyber AB is still in draft form (and will be influenced by rulemaking). If things change (or simply are not defined at this time and then later become defined) you may need to update your assessment.
Furthermore, because there is little to no documentation on JSP, assessments can be a little disjointed due to the newness and the fact that 3 separate organizations are involved (Cyber AB, DIBCAC, C3PAO). And what if the DoD doesn’t follow through on their intent to give credit for JSP and allow it to turn into a CMMC level 2 certification?
Why do Joint Surveillance?
Assuming the DoD follows through with their stated intent to convert JSP assessments to CMMC Level 2 certifications upon final rulemaking, you will be the first to receive CMMC certification post-rulemaking giving you a competitive advantage when it begins to show up as a requirement for contracts. Due to the expected supply problem (i.e. there are not enough C3PAOs for OSCs), it is easy to see why being a first mover if you are ready for an assessment will have its advantages. Some C3PAOs are also offering discounts during JSP due to the pilot nature of it (Ariento is one of them, you can reach out here if you want to have a conversation with one of our assessment teams).
What if I fail?
You can’t technically fail a DIBCAC High, you get a score and it is entered into SPRS after the assessment is complete. If you didn’t have a requirement for it in the first place, there is little to no impact (assuming you didn’t report an incorrect score to SPRS and set yourself up for the false claims act). If you are permitted to remediate by the assessors, you will have to assess again after remediating.
What if we think we’ll need CMMC Level 3?
CMMC Level 3 is not part of the current rulemaking and is unlikely to be seen in 2023 or 2024. For that reason, CMMC Level 2 is currently the highest level of assessment possible. It is an open question to the DOD and Cyber AB as to whether you will be able to count your CMMC Level 2 certification towards CMMC Level 3 (and hence only be assessed on only the delta controls) Level 3 is rolled out.
What is process if I want to do a Joint Surveillance Assessment?
You must be nominated to the DIBCAC by a C3PAO via the Cyber AB. Once submitted, the DIBCAC will contact you (the OSC) directly for scheduling if selected.
How does DIBCAC select OSCs?
While some of this process is a black box, you must have an active DoD contract to be considered. If you have a DIBCAC assessment requirement in 2023, you are even more likely to be selected as you are already going to need to be on the DIBCAC’s calendar.
If I already have a DIBCAC High assessment scheduled, can I change to a Joint Surveillance?
Yes. In fact, the fact that you are already on the DIBCAC’s calendar means barring something unexpected you are more likely be selected for Joint Surveillance.